GM ‘spends 5 years’ fixing car security vulnerability

General Motors has spent up to five years fixing a security vulnerability that left millions of cars susceptible to being hacked.

It has taken General Motors (GM) up to half a decade to resolve a security vulnerability in its OnStar car management system, it has been revealed.

Security researchers at the University of California at San Diego and the University of Washington first made the discovery back in 2010 while testing the security of a 2009 Chevy Impala, Wired magazine reported.

However, the experts decided not to publish their findings in a paper and instead opted to tell the American car manufacturer directly just what they had uncovered.

The team also informed the National Highway Traffic Safety Administration of the flaw, which they concluded left millions of vehicles at risk of being attacked.

This vulnerability meant that a cybercriminal could not only access data gathered by the vehicle’s computer system but also disable its brakes.

“We basically had complete control of the car except the steering,” Karl Koscher, one of the security researchers who helped identify the defect, told Wired.

“Certainly it would have been better if it had been patched sooner.”

While GM’s response may be seen as sluggish and careless, it isn’t atypical – the researchers were keen to highlight that this laboured approach to resolving the vulnerability is not a standalone case.

They argue that the automotive industry in general has been slow to respond to the safety implications that come with increasingly computerized and web-connected cars.

“They just didn’t have the capabilities we take for granted in the desktop and server world,” explained Stefan Savage, professor of Computer Science and Engineering at the University of California at San Diego and one of the lead researchers on the car hacking project.

“It’s kind of sad that the whole industry was not in a place to deal with this at the time, and that today, five years later, there still isn’t a universal incident response and update system that exists.”

In related news, it was revealed last month that the findings of a similar study were prevented from being published by a UK High Court judge for up to two years.

In 2013, the University of Birmingham in the UK and Radboud University in the Netherlands had intended to release their paper on a vulnerability they had identified in the Megamos Crypto transponder (which is widely used in Audi, Fiat, Honda, Volkswagen and Volvo cars).

However, at the time, the High Court judge agreed with Volkswagen’s claim that public access to the report would reveal key details that could be used by cybercriminals for malicious reasons.